iptables: reduce binary size

* drop unused lenient restore patch * instead of statically linking core extensions, build shared libraries for reuse in fw3 * strip outdated match revisions and aliases to trim down library size Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 45758
2015-05-26 09:16:50 +00:00
parent ecb14f4a5d
commit 1c00b6bc7f
4 changed files with 195 additions and 176 deletions
--- a/package/network/utils/iptables/Makefile
+++ b/package/network/utils/iptables/Makefile
@@ -392,7 +392,7 @@ define Package/libiptc
 $(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
-  DEPENDS:=+libip4tc +libip6tc
+  DEPENDS:=+libip4tc +libip6tc +libxtables
  TITLE:=IPv4/IPv6 firewall - shared libiptc library (compatibility stub)
 endef
@@ -401,6 +401,7 @@ $(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv4 firewall - shared libiptc library
  DEPENDS:=+libxtables
 endef
 define Package/libip6tc
@@ -408,6 +409,7 @@ $(call Package/iptables/Default)
  SECTION:=libs
  CATEGORY:=Libraries
  TITLE:=IPv6 firewall - shared libiptc library
  DEPENDS:=+libxtables
 endef
 define Package/libxtables
@@ -425,7 +427,8 @@ TARGET_CPPFLAGS := \
 TARGET_CFLAGS += \
 	-I$(PKG_BUILD_DIR)/include \
 	-I$(LINUX_DIR)/user_headers/include \
-	-ffunction-sections -fdata-sections
+	-ffunction-sections -fdata-sections \
 	-DNO_LEGACY
 TARGET_LDFLAGS += \
 	-Wl,--gc-sections
@@ -466,8 +469,7 @@ define Build/InstallDev
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libip*tc.pc $(1)/usr/lib/pkgconfig/
 	# XXX: needed by firewall3
-	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext*.so $(1)/usr/lib/
 	$(CP) $(PKG_BUILD_DIR)/extensions/libext*.a $(1)/usr/lib/iptables/
 endef
 define Package/iptables/install
@@ -490,16 +492,19 @@ endef
 define Package/libip4tc/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
 	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
 endef
 define Package/libip6tc/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
 	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
 endef
 define Package/libxtables/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
 	$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
 endef
 define BuildPlugin
--- a/package/network/utils/iptables/patches/400-lenient-restore.patch
+++ b/package/network/utils/iptables/patches/400-lenient-restore.patch
@@ -1,172 +0,0 @@
 --- a/iptables/ip6tables-restore.c
 +++ b/iptables/ip6tables-restore.c
@@ -14,6 +14,8 @@
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
 +#include <stdarg.h>
 +#include <setjmp.h>
 #include "ip6tables.h"
 #include "xtables.h"
 #include "libiptc/libip6tc.h"
@@ -25,6 +27,7 @@
 #define DEBUGP(x, args...)
 #endif
 +static jmp_buf jmp;
 static int binary = 0, counters = 0, verbose = 0, noflush = 0;
 /* Keeping track of external matches and targets.  */
@@ -35,6 +38,7 @@ static const struct option options[] = {
 	{.name = "test",     .has_arg = false, .val = 't'},
 	{.name = "help",     .has_arg = false, .val = 'h'},
 	{.name = "noflush",  .has_arg = false, .val = 'n'},
 +	{.name = "lenient",  .has_arg = false, .val = 'l'},
 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
 	{.name = "table",    .has_arg = true,  .val = 'T'},
 	{NULL},
@@ -51,6 +55,7 @@ static void print_usage(const char *name
 			"	   [ --test ]\n"
 			"	   [ --help ]\n"
 			"	   [ --noflush ]\n"
 +			"	   [ --lenient ]\n"
 			"          [ --modprobe=<command>]\n", name);
 	exit(1);
@@ -114,6 +119,17 @@ static void free_argv(void) {
 		free(newargv[i]);
 }
 +static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
 +{
 +	va_list args;
 +	fprintf(stderr, "line %d: ", line);
 +	va_start(args, msg);
 +	vfprintf(stderr, msg, args);
 +	va_end(args);
 +	fprintf(stderr, "\n");
 +	longjmp(jmp, status);
 +}
 +
 static void add_param_to_argv(char *parsestart)
 {
 	int quote_open = 0, escaped = 0, param_len = 0;
@@ -204,7 +220,7 @@ int ip6tables_restore_main(int argc, cha
 	init_extensions6();
 #endif
 -	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
 +	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
 		switch (c) {
 			case 'b':
 				binary = 1;
@@ -225,6 +241,9 @@ int ip6tables_restore_main(int argc, cha
 			case 'n':
 				noflush = 1;
 				break;
 +			case 'l':
 +				ip6tables_globals.exit_err = catch_exit_error;
 +				break;
 			case 'M':
 				xtables_modprobe_program = optarg;
 				break;
@@ -437,8 +456,11 @@ int ip6tables_restore_main(int argc, cha
 			for (a = 0; a < newargc; a++)
 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
 -			ret = do_command6(newargc, newargv,
 -					 &newargv[2], &handle, true);
 +			if (!setjmp(jmp))
 +				ret = do_command6(newargc, newargv,
 +						 &newargv[2], &handle, true);
 +			else
 +				ret = 1;
 			free_argv();
 			fflush(stdout);
 --- a/iptables/iptables-restore.c
 +++ b/iptables/iptables-restore.c
@@ -11,6 +11,8 @@
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
 +#include <stdarg.h>
 +#include <setjmp.h>
 #include "iptables.h"
 #include "xtables.h"
 #include "libiptc/libiptc.h"
@@ -22,6 +24,7 @@
 #define DEBUGP(x, args...)
 #endif
 +static jmp_buf jmp;
 static int binary = 0, counters = 0, verbose = 0, noflush = 0;
 /* Keeping track of external matches and targets.  */
@@ -32,6 +35,7 @@ static const struct option options[] = {
 	{.name = "test",     .has_arg = false, .val = 't'},
 	{.name = "help",     .has_arg = false, .val = 'h'},
 	{.name = "noflush",  .has_arg = false, .val = 'n'},
 +	{.name = "lenient",  .has_arg = false, .val = 'l'},
 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
 	{.name = "table",    .has_arg = true,  .val = 'T'},
 	{NULL},
@@ -50,6 +54,7 @@ static void print_usage(const char *name
 			"	   [ --test ]\n"
 			"	   [ --help ]\n"
 			"	   [ --noflush ]\n"
 +			"	   [ --lenient ]\n"
 			"	   [ --table=<TABLE> ]\n"
 			"          [ --modprobe=<command>]\n", name);
@@ -113,6 +118,17 @@ static void free_argv(void) {
 		free(newargv[i]);
 }
 +static void catch_exit_error(enum xtables_exittype status, const char *msg, ...)
 +{
 +	va_list args;
 +	fprintf(stderr, "line %d: ", line);
 +	va_start(args, msg);
 +	vfprintf(stderr, msg, args);
 +	va_end(args);
 +	fprintf(stderr, "\n");
 +	longjmp(jmp, status);
 +}
 +
 static void add_param_to_argv(char *parsestart)
 {
 	int quote_open = 0, escaped = 0, param_len = 0;
@@ -204,7 +220,7 @@ iptables_restore_main(int argc, char *ar
 	init_extensions4();
 #endif
 -	while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
 +	while ((c = getopt_long(argc, argv, "bcvthnlM:T:", options, NULL)) != -1) {
 		switch (c) {
 			case 'b':
 				binary = 1;
@@ -225,6 +241,9 @@ iptables_restore_main(int argc, char *ar
 			case 'n':
 				noflush = 1;
 				break;
 +			case 'l':
 +				iptables_globals.exit_err = catch_exit_error;
 +				break;
 			case 'M':
 				xtables_modprobe_program = optarg;
 				break;
@@ -437,8 +456,11 @@ iptables_restore_main(int argc, char *ar
 			for (a = 0; a < newargc; a++)
 				DEBUGP("argv[%u]: %s\n", a, newargv[a]);
 -			ret = do_command4(newargc, newargv,
 -					 &newargv[2], &handle, true);
 +			if (!setjmp(jmp))
 +				ret = do_command4(newargc, newargv,
 +						 &newargv[2], &handle, true);
 +			else
 +				ret = 1;
 			free_argv();
 			fflush(stdout);
--- a/package/network/utils/iptables/patches/600-shared-libext.patch
+++ b/package/network/utils/iptables/patches/600-shared-libext.patch
@@ -0,0 +1,78 @@
 Index: iptables-1.4.21/extensions/GNUmakefile.in
 ===================================================================
 --- iptables-1.4.21.orig/extensions/GNUmakefile.in
 +++ iptables-1.4.21/extensions/GNUmakefile.in
@@ -71,7 +71,7 @@ pf6_solibs    := $(patsubst %,libip6t_%.
 #
 # Building blocks
 #
 -targets := libext.a libext4.a libext6.a matches.man targets.man
 +targets := libiptext.so libiptext4.so libiptext6.so matches.man targets.man
 targets_install :=
 libext_objs := ${pfx_objs}
 libext4_objs := ${pf4_objs}
@@ -96,7 +96,7 @@ clean:
 distclean: clean
 init%.o: init%.c
 -	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init ${CFLAGS} -o $@ -c $<;
 +	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -D_INIT=$*_init  -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 -include .*.d
@@ -130,16 +130,16 @@ xt_statistic_LIBADD = -lm
 #	handling code in the Makefiles.
 #
 lib%.o: ${srcdir}/lib%.c
 -	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init ${CFLAGS} -o $@ -c $<;
 +	${AM_VERBOSE_CC} ${CC} ${AM_CPPFLAGS} ${AM_DEPFLAGS} ${AM_CFLAGS} -DNO_SHARED_LIBS=1 -D_INIT=lib$*_init -DPIC -fPIC ${CFLAGS} -o $@ -c $<;
 -libext.a: initext.o ${libext_objs}
 -	${AM_VERBOSE_AR} ${AR} crs $@ $^;
 +libiptext.so: initext.o ${libext_objs}
 +	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
 -libext4.a: initext4.o ${libext4_objs}
 -	${AM_VERBOSE_AR} ${AR} crs $@ $^;
 +libiptext4.so: initext4.o ${libext4_objs}
 +	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
 -libext6.a: initext6.o ${libext6_objs}
 -	${AM_VERBOSE_AR} ${AR} crs $@ $^;
 +libiptext6.so: initext6.o ${libext6_objs}
 +	${AM_VERBOSE_CCLD} ${CCLD} ${AM_LDFLAGS} -shared ${LDFLAGS} -o $@ $^ -L../libxtables/.libs -lxtables ${$*_LIBADD};
 initext_func  := $(addprefix xt_,${pfx_build_static})
 initext4_func := $(addprefix ipt_,${pf4_build_static})
 Index: iptables-1.4.21/iptables/Makefile.am
 ===================================================================
 --- iptables-1.4.21.orig/iptables/Makefile.am
 +++ iptables-1.4.21/iptables/Makefile.am
@@ -5,7 +5,8 @@ AM_CPPFLAGS      = ${regular_CPPFLAGS} -
 xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
 xtables_multi_CFLAGS   = ${AM_CFLAGS}
 -xtables_multi_LDADD    = ../extensions/libext.a
 +xtables_multi_LDADD    =
 +xtables_multi_LDFLAGS  = -L../extensions/ -liptext
 if ENABLE_STATIC
 xtables_multi_CFLAGS  += -DALL_INCLUSIVE
 endif
@@ -13,13 +14,15 @@ if ENABLE_IPV4
 xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
                          iptables-standalone.c iptables.c
 xtables_multi_CFLAGS  += -DENABLE_IPV4
 -xtables_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
 +xtables_multi_LDADD   += ../libiptc/libip4tc.la
 +xtables_multi_LDFLAGS += -liptext4
 endif
 if ENABLE_IPV6
 xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
                           ip6tables-standalone.c ip6tables.c
 xtables_multi_CFLAGS  += -DENABLE_IPV6
 -xtables_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
 +xtables_multi_LDADD   += ../libiptc/libip6tc.la
 +xtables_multi_LDFLAGS += -liptext6
 endif
 xtables_multi_SOURCES += xshared.c
 xtables_multi_LDADD   += ../libxtables/libxtables.la -lm
--- a/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
+++ b/package/network/utils/iptables/patches/700-disable-legacy-revisions.patch
@@ -0,0 +1,108 @@
 Index: iptables-1.4.21/extensions/libxt_conntrack.c
 ===================================================================
 --- iptables-1.4.21.orig/extensions/libxt_conntrack.c
 +++ iptables-1.4.21/extensions/libxt_conntrack.c
@@ -1157,6 +1157,7 @@ static void state_save(const void *ip, c
 }
 static struct xtables_match conntrack_mt_reg[] = {
 +#ifndef NO_LEGACY
 	{
 		.version       = XTABLES_VERSION,
 		.name          = "conntrack",
@@ -1232,6 +1233,7 @@ static struct xtables_match conntrack_mt
 		.alias	       = conntrack_print_name_alias,
 		.x6_options    = conntrack2_mt_opts,
 	},
 +#endif
 	{
 		.version       = XTABLES_VERSION,
 		.name          = "conntrack",
@@ -1262,6 +1264,7 @@ static struct xtables_match conntrack_mt
 		.alias	       = conntrack_print_name_alias,
 		.x6_options    = conntrack3_mt_opts,
 	},
 +#ifndef NO_LEGACY
 	{
 		.family        = NFPROTO_UNSPEC,
 		.name          = "state",
@@ -1292,6 +1295,7 @@ static struct xtables_match conntrack_mt
 		.x6_parse      = state_ct23_parse,
 		.x6_options    = state_opts,
 	},
 +#endif
 	{
 		.family        = NFPROTO_UNSPEC,
 		.name          = "state",
@@ -1307,6 +1311,7 @@ static struct xtables_match conntrack_mt
 		.x6_parse      = state_ct23_parse,
 		.x6_options    = state_opts,
 	},
 +#ifndef NO_LEGACY
 	{
 		.family        = NFPROTO_UNSPEC,
 		.name          = "state",
@@ -1320,6 +1325,7 @@ static struct xtables_match conntrack_mt
 		.x6_parse      = state_parse,
 		.x6_options    = state_opts,
 	},
 +#endif
 };
 void _init(void)
 Index: iptables-1.4.21/extensions/libxt_CT.c
 ===================================================================
 --- iptables-1.4.21.orig/extensions/libxt_CT.c
 +++ iptables-1.4.21/extensions/libxt_CT.c
@@ -290,6 +290,7 @@ static void notrack_ct2_tg_init(struct x
 }
 static struct xtables_target ct_target_reg[] = {
 +#ifndef NO_LEGACY
 	{
 		.family		= NFPROTO_UNSPEC,
 		.name		= "CT",
@@ -315,6 +316,7 @@ static struct xtables_target ct_target_r
 		.x6_parse	= ct_parse_v1,
 		.x6_options	= ct_opts_v1,
 	},
 +#endif
 	{
 		.family		= NFPROTO_UNSPEC,
 		.name		= "CT",
@@ -329,6 +331,7 @@ static struct xtables_target ct_target_r
 		.x6_parse	= ct_parse_v1,
 		.x6_options	= ct_opts_v1,
 	},
 +#ifndef NO_LEGACY
 	{
 		.family        = NFPROTO_UNSPEC,
 		.name          = "NOTRACK",
@@ -366,6 +369,7 @@ static struct xtables_target ct_target_r
 		.revision      = 0,
 		.version       = XTABLES_VERSION,
 	},
 +#endif
 };
 void _init(void)
 Index: iptables-1.4.21/extensions/libxt_multiport.c
 ===================================================================
 --- iptables-1.4.21.orig/extensions/libxt_multiport.c
 +++ iptables-1.4.21/extensions/libxt_multiport.c
@@ -469,6 +469,7 @@ static void multiport_save6_v1(const voi
 }
 static struct xtables_match multiport_mt_reg[] = {
 +#ifndef NO_LEGACY
 	{
 		.family        = NFPROTO_IPV4,
 		.name          = "multiport",
@@ -497,6 +498,7 @@ static struct xtables_match multiport_mt
 		.save          = multiport_save6,
 		.x6_options    = multiport_opts,
 	},
 +#endif
 	{
 		.family        = NFPROTO_IPV4,
 		.name          = "multiport",